Creating security policies
Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services
In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate
For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.
To configure an FSSO authentication security policy – web-based manager:
1. Go to Policy & Objects > Policy > IP4 and select Create New.
2. Enter the following information.
Incoming Interface port1
Source Address company_network
Source User(s) fsso_group
Outgoing Interface port2
Destination Address all
Service HTTP, HTTPS, FTP, and Telnet
UTM Security Profiles ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default pro- files.
Log Allowed Traffic ON. Select Security Events.
3. Select OK.
4. Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.
To create a security policy for FSSO authentication – CLI:
config firewall policy edit 0
set srcintf port1 set dstintf port2
set srcaddr company_network set dstaddr all
set action accept
set groups fsso_group set schedule always
set service HTTP HTTPS FTP TELNET
set nat enable end
Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.
Enabling guest access through FSSO security policies
You can enable guest users to access FSSO security policies. Guests are users who are unknown to Windows AD and servers that do not logon to a Windows AD domain.
To enable guest access in your FSSO security policy, add an identity-based policy assigned to the built-in user group SSO_Guest_Users. Specify the services, schedule and UTM profiles that apply to guest users — typically guests have access to a reduced set of services. See Creating security policies on page 548.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos